RITA Real Intelligence Threat Analytics Cheat Sheet
Überblick
RITA (Real Intelligence Threat Analytics) ist ein Open-Source-Framework für die Netzwerk-Verkehrsanalyse, das Zeek (früher Bro) loggt und erkennt Indikatoren von Kompromissen durch statistische Analyse. Es identifiziert Beaconing-Verhalten, DNS-Tunneling, lange Verbindungen und andere verdächtige Netzwerkaktivitäten, die häufig mit fortgeschrittenen persistenten Bedrohungen (APTs) verbunden sind.
ZEIT Warnung: Dieses Tool ist nur für eine autorisierte Netzwerküberwachung und Sicherheitsanalyse bestimmt. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Analyse des Netzwerkverkehrs haben.
Installation
Ubuntu/Debian Installation
```bash
Add MongoDB repository
wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc|sudo apt-key add - echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse"|sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list
Update package list
sudo apt update
Install MongoDB
sudo apt install -y mongodb-org
Start MongoDB service
sudo systemctl start mongod sudo systemctl enable mongod
Install RITA
wget https://github.com/activecm/rita/releases/download/v4.8.0/rita chmod +x rita sudo mv rita /usr/local/bin/
Verify installation
rita --version ```_
Docker Installation
```bash
Clone RITA repository
git clone https://github.com/activecm/rita.git cd rita
Build Docker containers
docker-compose up -d
Run RITA in container
docker-compose exec rita rita --version ```_
Manuelle Installation
```bash
Install Go (if not already installed)
wget https://golang.org/dl/go1.19.linux-amd64.tar.gz sudo tar -C /usr/local -xzf go1.19.linux-amd64.tar.gz export PATH=$PATH:/usr/local/go/bin
Clone and build RITA
git clone https://github.com/activecm/rita.git cd rita make install
Copy binary to system path
sudo cp rita /usr/local/bin/ ```_
Konfiguration
Erster Setup
```bash
Create RITA configuration directory
sudo mkdir -p /etc/rita
Generate default configuration
rita test-config
Copy configuration file
sudo cp etc/rita.yaml /etc/rita/config.yaml
Edit configuration
sudo nano /etc/rita/config.yaml ```_
Konfiguration Dateistruktur
```yaml
/etc/rita/config.yaml
MongoDB: ConnectionString: mongodb://localhost:27017 AuthenticationMechanism: "" SocketTimeout: 2 TLS: Enable: false VerifyCertificate: false CAFile: ""
LogLevel: 2 LogPath: "/var/lib/rita/logs"
Rolling: DefaultChunks: 24
Filtering: AlwaysInclude: [] NeverInclude: [] InternalSubnets: []
UserInterface: DefaultResultLimit: 1000
Blacklisted: feodo.abuse.ch: true malwaredomainlist.com: true
BeaconSNI: DefaultConnectionThresh: 20
DNS: DefaultConnectionThresh: 20
Strobe: ConnectionLimit: 250000 ```_
Datenbankkonfiguration
```bash
Test MongoDB connection
mongo --eval "db.runCommand(\\{connectionStatus : 1\\})"
Create RITA database user (optional)
mongo admin --eval " db.createUser(\\{ user: 'rita_user', pwd: 'secure_password', roles: [ \\{role: 'readWrite', db: 'rita'\\}, \\{role: 'readWrite', db: 'MetaDatabase'\\} ] \\}) "
Update config for authentication
sudo nano /etc/rita/config.yaml
Add authentication details to MongoDB section
```_
Basisnutzung
Befehlsstruktur
```bash
Basic syntax
rita [command] [options]
Get help
rita --help rita [command] --help
Check version
rita --version ```_
Verfügbare Befehle
| | Command | Description | |
| --- | --- |
| | import | Import Zeek logs into RITA database | |
| | analyze | Analyze imported data for threats | |
| | show-databases | List available databases | |
| | show-beacons | Display beacon analysis results | |
| | show-strobes | Display strobe analysis results | |
| | show-dns | Display DNS analysis results | |
| | show-blacklisted | Display blacklisted connections | |
| | show-useragents | Display user agent analysis | |
| | show-long-connections | Display long connection analysis | |
| | delete | Delete database | |
| | test-config | Test configuration file | |
Datenimport und -analyse
Zeek Logs importieren
```bash
Import single log directory
rita import /path/to/zeek/logs dataset_name
Import with specific time range
rita import --rolling /path/to/zeek/logs dataset_name
Import compressed logs
rita import /path/to/zeek/logs.tar.gz dataset_name
Import with custom chunk size
rita import --chunk-size 1000000 /path/to/zeek/logs dataset_name
Import and analyze immediately
rita import --analyze /path/to/zeek/logs dataset_name ```_
Laufende Analyse
```bash
Analyze imported dataset
rita analyze dataset_name
Analyze with custom parameters
rita analyze --threads 4 dataset_name
Analyze specific modules only
rita analyze --beacon --dns dataset_name
Force re-analysis
rita analyze --force dataset_name ```_
Datenbankverwaltung
```bash
List all databases
rita show-databases
Show database information
rita show-databases --details
Delete database
rita delete dataset_name
Delete multiple databases
rita delete dataset1 dataset2 dataset3 ```_
Threat Detection Module
Beacon-Detektion
```bash
Show beacon analysis results
rita show-beacons dataset_name
Show top beacons with details
rita show-beacons --limit 20 dataset_name
Show beacons for specific source
rita show-beacons --src 192.168.1.100 dataset_name
Export beacon results to CSV
rita show-beacons --csv dataset_name > beacons.csv
Show beacon details with human-readable format
rita show-beacons --human-readable dataset_name ```_
DNS-Analyse
```bash
Show DNS analysis results
rita show-dns dataset_name
Show DNS tunneling indicators
rita show-dns --limit 50 dataset_name
Show DNS for specific domain
rita show-dns --domain suspicious.com dataset_name
Export DNS results
rita show-dns --csv dataset_name > dns_analysis.csv
Show DNS with subdomain analysis
rita show-dns --subdomain-analysis dataset_name ```_
Lange Verbindungsanalyse
```bash
Show long connections
rita show-long-connections dataset_name
Show connections longer than specific duration
rita show-long-connections --duration 3600 dataset_name
Show long connections for specific host
rita show-long-connections --src 192.168.1.100 dataset_name
Export long connections
rita show-long-connections --csv dataset_name > long_connections.csv ```_
Strobe Erkennung
```bash
Show strobe analysis (port scanning)
rita show-strobes dataset_name
Show strobes with specific threshold
rita show-strobes --limit 10 dataset_name
Show strobes for specific source
rita show-strobes --src 192.168.1.100 dataset_name
Export strobe results
rita show-strobes --csv dataset_name > strobes.csv ```_
Blacklistd Connections
```bash
Show blacklisted connections
rita show-blacklisted dataset_name
Show blacklisted with details
rita show-blacklisted --details dataset_name
Show blacklisted for specific source
rita show-blacklisted --src 192.168.1.100 dataset_name
Export blacklisted connections
rita show-blacklisted --csv dataset_name > blacklisted.csv ```_
Analyse des Benutzers
```bash
Show user agent analysis
rita show-useragents dataset_name
Show rare user agents
rita show-useragents --rare dataset_name
Show user agents for specific host
rita show-useragents --src 192.168.1.100 dataset_name
Export user agent analysis
rita show-useragents --csv dataset_name > useragents.csv ```_
Erweiterte Analysetechniken
Benutzerdefinierte Filterung
```bash
Analyze specific IP ranges
rita import --filter-internal 192.168.0.0/16,10.0.0.0/8 /path/to/logs dataset_name
Exclude specific networks
rita import --filter-external 8.8.8.8/32 /path/to/logs dataset_name
Custom time window analysis
rita import --start-time "2023-01-01 00:00:00" --end-time "2023-01-02 00:00:00" /path/to/logs dataset_name ```_
Threat Hunting Quers
```bash
Find potential C2 beacons with high confidence
rita show-beacons --score-threshold 0.8 dataset_name
Identify DNS tunneling attempts
rita show-dns --query-length-threshold 50 dataset_name
Find long-duration connections (potential persistence)
rita show-long-connections --duration 7200 dataset_name
Detect port scanning activity
rita show-strobes --connection-threshold 100 dataset_name ```_
Kreuzdatensatzanalyse
```bash
Compare multiple datasets
rita show-beacons dataset1 > beacons1.csv rita show-beacons dataset2 > beacons2.csv
Find common indicators across datasets
| comm -12 <(cut -d',' -f1 beacons1.csv | sort) <(cut -d',' -f1 beacons2.csv | sort) |
Analyze trends over time
for dataset in dataset_day1 dataset_day2 dataset_day3; do echo "=== $dataset ===" rita show-beacons --limit 5 $dataset done ```_
Automatisierung und Schrift
Automatisierte Analyse Pipeline
```bash
!/bin/bash
LOG_DIR="/var/log/zeek" DATASET_PREFIX="daily_analysis" RETENTION_DAYS=30
Function to process daily logs
process_daily_logs() \\{ local date=$1 local dataset_name="$\\{DATASET_PREFIX\\}_$\\{date\\}" local log_path="$\\{LOG_DIR\\}/$\\{date\\}"
if [ -d "$log_path" ]; then
echo "[+] Processing logs for $date"
# Import logs
rita import "$log_path" "$dataset_name"
# Run analysis
rita analyze "$dataset_name"
# Generate reports
generate_reports "$dataset_name" "$date"
echo "[+] Analysis complete for $date"
else
echo "[-] No logs found for $date"
fi
\\}
Function to generate reports
generate_reports() \\{ local dataset=$1 local date=$2 local report_dir="/var/lib/rita/reports/$\\{date\\}"
mkdir -p "$report_dir"
# Generate beacon report
rita show-beacons --csv "$dataset" > "$\\\\{report_dir\\\\}/beacons.csv"
# Generate DNS report
rita show-dns --csv "$dataset" > "$\\\\{report_dir\\\\}/dns.csv"
# Generate long connections report
rita show-long-connections --csv "$dataset" > "$\\\\{report_dir\\\\}/long_connections.csv"
# Generate strobe report
rita show-strobes --csv "$dataset" > "$\\\\{report_dir\\\\}/strobes.csv"
# Generate blacklisted report
rita show-blacklisted --csv "$dataset" > "$\\\\{report_dir\\\\}/blacklisted.csv"
# Create summary report
create_summary_report "$dataset" "$report_dir"
\\}
Function to create summary report
create_summary_report() \\{ local dataset=$1 local report_dir=$2 local summary_file="$\\{report_dir\\}/summary.txt"
echo "RITA Analysis Summary for $dataset" > "$summary_file"
echo "Generated: $(date)" >> "$summary_file"
echo "=================================" >> "$summary_file"
echo "" >> "$summary_file"
# Count findings
local beacon_count=$(rita show-beacons "$dataset"|wc -l)
local dns_count=$(rita show-dns "$dataset"|wc -l)
local long_conn_count=$(rita show-long-connections "$dataset"|wc -l)
local strobe_count=$(rita show-strobes "$dataset"|wc -l)
local blacklisted_count=$(rita show-blacklisted "$dataset"|wc -l)
echo "Findings Summary:" >> "$summary_file"
echo "- Beacons: $beacon_count" >> "$summary_file"
echo "- DNS Anomalies: $dns_count" >> "$summary_file"
echo "- Long Connections: $long_conn_count" >> "$summary_file"
echo "- Strobes: $strobe_count" >> "$summary_file"
echo "- Blacklisted: $blacklisted_count" >> "$summary_file"
echo "" >> "$summary_file"
# Top findings
echo "Top 5 Beacons:" >> "$summary_file"
rita show-beacons --limit 5 "$dataset" >> "$summary_file"
echo "" >> "$summary_file"
echo "Top 5 DNS Anomalies:" >> "$summary_file"
rita show-dns --limit 5 "$dataset" >> "$summary_file"
\\}
Cleanup old datasets
cleanup_old_datasets() \\{ local cutoff_date=$(date -d "$RETENTION_DAYS days ago" +%Y-%m-%d)
| rita show-databases | grep "$DATASET_PREFIX" | while read dataset; do | local dataset_date=$(echo "$dataset"|sed "s/$\\{DATASET_PREFIX\\}_//") if [[ "$dataset_date" ``< "$cutoff_date" ]]; then echo "[+] Deleting old dataset: $dataset" rita delete "$dataset" fi done \}
Main execution
DATE=$\{1:-$(date -d "yesterday" +%Y-%m-%d)\} process_daily_logs "$DATE" cleanup_old_datasets ```_
Echtzeit Monitoring Script
```bash
!/bin/bash
ZEEK_LOG_DIR="/opt/zeek/logs/current" RITA_DATASET="realtime_$(date +%Y%m%d_%H%M%S)" CHECK_INTERVAL=300 # 5 minutes ALERT_THRESHOLD_BEACONS=10 ALERT_THRESHOLD_DNS=20
Function to check for new threats
check_threats() \{ local dataset=$1
# Check beacon count
local beacon_count=$(rita show-beacons "$dataset"|wc -l)
if [ "$beacon_count" -gt "$ALERT_THRESHOLD_BEACONS" ]; then
send_alert "High beacon activity detected: $beacon_count beacons found"
rita show-beacons --limit 10 "$dataset"|mail -s "RITA Alert: Beacon Activity" security@company.com
fi
# Check DNS anomalies
local dns_count=$(rita show-dns "$dataset"|wc -l)
if [ "$dns_count" -gt "$ALERT_THRESHOLD_DNS" ]; then
send_alert "High DNS anomaly activity: $dns_count anomalies found"
rita show-dns --limit 10 "$dataset"|mail -s "RITA Alert: DNS Anomalies" security@company.com
fi
# Check for blacklisted connections
local blacklisted_count=$(rita show-blacklisted "$dataset"|wc -l)
if [ "$blacklisted_count" -gt 0 ]; then
send_alert "Blacklisted connections detected: $blacklisted_count connections"
rita show-blacklisted "$dataset"|mail -s "RITA Alert: Blacklisted Connections" security@company.com
fi
\}
Function to send alerts
send_alert() \{ local message=$1 echo "[ALERT] $(date): $message" logger "RITA_ALERT: $message"
# Send to SIEM or alerting system
curl -X POST -H "Content-Type: application/json" \
-d "\\\{\"alert\":\"$message\",\"timestamp\":\"$(date -Iseconds)\"\\\}" \
http://siem.company.com/api/alerts
\}
Main monitoring loop
echo "[+] Starting RITA real-time monitoring" echo "[+] Dataset: $RITA_DATASET" echo "[+] Check interval: $CHECK_INTERVAL seconds"
while true; do echo "[+] $(date): Importing latest logs..."
# Import latest logs
rita import "$ZEEK_LOG_DIR" "$RITA_DATASET"
# Run analysis
rita analyze "$RITA_DATASET"
# Check for threats
check_threats "$RITA_DATASET"
echo "[+] $(date): Check complete, sleeping for $CHECK_INTERVAL seconds"
sleep "$CHECK_INTERVAL"
done ```_
Threat Intelligence Integration
```bash
!/bin/bash
Function to update threat intelligence feeds
update_threat_feeds() \{ local config_file="/etc/rita/config.yaml" local temp_config="/tmp/rita_config_temp.yaml"
echo "[+] Updating threat intelligence feeds..."
# Download latest IOCs
wget -q -O /tmp/feodo_tracker.txt "https://feodotracker.abuse.ch/downloads/ipblocklist.txt"
wget -q -O /tmp/malware_domains.txt "http://www.malwaredomainlist.com/hostslist/hosts.txt"
# Update RITA configuration with new feeds
cp "$config_file" "$temp_config"
# Add new blacklisted domains/IPs
python3 << EOF
import yaml import requests
Load current config
with open('$temp_config', 'r') as f: config = yaml.safe_load(f)
Update blacklisted section
if 'Blacklisted' not in config: config['Blacklisted'] = \{\}
Add Feodo tracker IPs
with open('/tmp/feodo_tracker.txt', 'r') as f: for line in f: ip = line.strip() if ip and not ip.startswith('#'): config['Blacklisted'][ip] = True
Save updated config
with open('$temp_config', 'w') as f: yaml.dump(config, f, default_flow_style=False) EOF
# Backup original and update
cp "$config_file" "$\\\{config_file\\\}.backup.$(date +%Y%m%d)"
sudo cp "$temp_config" "$config_file"
echo "[+] Threat intelligence feeds updated"
\}
Function to correlate with external threat intelligence
correlate_with_ti() \{ local dataset=$1 local output_dir="/var/lib/rita/ti_correlation"
mkdir -p "$output_dir"
# Extract unique IPs from RITA results
| rita show-beacons --csv "$dataset" | cut -d',' -f2 | sort -u >`` "$\\{output_dir\\}/beacon_ips.txt" | | rita show-dns --csv "$dataset" | cut -d',' -f2 | sort -u > "$\\{output_dir\\}/dns_domains.txt" |
# Check against VirusTotal (requires API key)
if [ ! -z "$VT_API_KEY" ]; then
echo "[+] Checking IPs against VirusTotal..."
while read ip; do
if [ ! -z "$ip" ]; then
curl -s -H "x-apikey: $VT_API_KEY" \
"https://www.virustotal.com/vtapi/v2/ip-address/report?apikey=$VT_API_KEY&ip;=$ip" \
>> "$\\\\{output_dir\\\\}/vt_ip_results.json"
sleep 1 # Rate limiting
fi
done < "$\\\\{output_dir\\\\}/beacon_ips.txt"
fi
# Check against AbuseIPDB (requires API key)
if [ ! -z "$ABUSEIPDB_API_KEY" ]; then
echo "[+] Checking IPs against AbuseIPDB..."
while read ip; do
if [ ! -z "$ip" ]; then
curl -s -H "Key: $ABUSEIPDB_API_KEY" \
-H "Accept: application/json" \
"https://api.abuseipdb.com/api/v2/check?ipAddress=$ip&maxAgeInDays;=90" \
>> "$\\\\{output_dir\\\\}/abuseipdb_results.json"
sleep 1 # Rate limiting
fi
done ``< "$\\\{output_dir\\\}/beacon_ips.txt"
fi
echo "[+] Threat intelligence correlation complete"
\}
Update feeds and run correlation
update_threat_feeds correlate_with_ti "$1" ```_
Integration mit anderen Tools
Zeek Integration
```bash
Configure Zeek to output logs in RITA-compatible format
/opt/zeek/share/zeek/site/local.zeek
@load base/protocols/conn @load base/protocols/dns @load base/protocols/http @load base/protocols/ssl
Enable JSON output for better RITA compatibility
@load policy/tuning/json-logs.zeek
Custom log rotation for RITA
redef Log::default_rotation_interval = 1hr; redef Log::default_rotation_postprocessor = Log::run_rotation_postprocessor_cmd; redef Log::rotation_postprocessor_cmd = "gzip"; ```_
ELK Stack Integration
```bash
Logstash configuration for RITA results
/etc/logstash/conf.d/rita.conf
input \{ file \{ path =>`` "/var/lib/rita/reports/*/beacons.csv" start_position => "beginning" sincedb_path => "/dev/null" codec => "plain" type => "rita_beacons" \\}
file \\{ path => "/var/lib/rita/reports/*/dns.csv" start_position => "beginning" sincedb_path => "/dev/null" codec => "plain" type => "rita_dns" \\} \\}
filter \\{ if [type] == "rita_beacons" \\{ csv \\{ columns => ["source", "destination", "connections", "avg_bytes", "score"] separator => "," \\}
mutate \\\\{
convert => \\\\{
"connections" => "integer"
"avg_bytes" => "integer"
"score" => "float"
\\\\}
\\\\}
\\}
if [type] == "rita_dns" \\{ csv \\{ columns => ["query", "source", "query_count", "unique_subdomains"] separator => "," \\}
mutate \\\\{
convert => \\\\{
"query_count" => "integer"
"unique_subdomains" => "integer"
\\\\}
\\\\}
\\} \\}
output \\{ elasticsearch \\{ hosts => ["localhost:9200"] index => "rita-%\\{type\\}-%\\{+YYYY.MM.dd\\}" \\} \\} ```_
Integration von Splunk
```bash
Splunk inputs.conf for RITA data
[monitor:///var/lib/rita/reports/*/beacons.csv] disabled = false sourcetype = rita:beacons index = security
[monitor:///var/lib/rita/reports/*/dns.csv] disabled = false sourcetype = rita:dns index = security
Splunk props.conf for RITA data
[rita:beacons] SHOULD_LINEMERGE = false FIELD_DELIMITER = , FIELD_NAMES = source,destination,connections,avg_bytes,score
[rita:dns] SHOULD_LINEMERGE = false FIELD_DELIMITER = , FIELD_NAMES = query,source,query_count,unique_subdomains ```_
Leistungsoptimierung
Datenbankoptimierung
```bash
MongoDB optimization for RITA
/etc/mongod.conf
storage: dbPath: /var/lib/mongodb journal: enabled: true wiredTiger: engineConfig: cacheSizeGB: 8 # Adjust based on available RAM
systemLog: destination: file logAppend: true path: /var/log/mongodb/mongod.log
net: port: 27017 bindIp: 127.0.0.1
Create indexes for better performance
mongo rita --eval " db.conn.createIndex(\\{src: 1, dst: 1\\}); db.dns.createIndex(\\{query: 1, src: 1\\}); db.http.createIndex(\\{src: 1, dst: 1\\}); " ```_
Ressourcenmanagement
```bash
Optimize RITA for large datasets
export GOMAXPROCS=8 # Set to number of CPU cores export GOGC=100 # Garbage collection percentage
Run analysis with custom memory settings
rita analyze --threads 8 --chunk-size 500000 dataset_name
Monitor resource usage during analysis
top -p $(pgrep rita) iostat -x 1 ```_
Fehlerbehebung
Gemeinsame Themen
```bash
MongoDB connection issues
sudo systemctl status mongod sudo systemctl restart mongod
Check MongoDB logs
sudo tail -f /var/log/mongodb/mongod.log
Test RITA configuration
rita test-config
Check RITA logs
tail -f /var/lib/rita/logs/rita.log
Verify Zeek log format
head -n 5 /path/to/zeek/logs/conn.log ```_
Debug Mode
```bash
Enable debug logging
rita --debug import /path/to/logs dataset_name
Verbose analysis
rita --verbose analyze dataset_name
Check database contents
mongo rita --eval "db.stats()" mongo rita --eval "db.conn.count()" ```_
Leistungsfragen
```bash
Check database size
mongo rita --eval "db.stats().dataSize"
Optimize database
mongo rita --eval "db.runCommand(\\{compact: 'conn'\\})"
Check system resources
free -h df -h iostat -x 1 5 ```_
Best Practices
Datenverwaltung
- Regular cleanup: Entfernen Sie alte Datensätze, um Speicherplatz zu verwalten
- Index Optimierung: angemessene Mongo DB-Index
- Log Rotation: Durchführung richtig Zeek log Rotation
- *Backup-Strategie: Regelmäßige Sicherung von RITA-Datenbanken
- Monitoring: Systemressourcen während der Analyse überwachen
Analysestrategie
```bash
Phased analysis approach
Phase 1: Import and basic analysis
rita import /path/to/logs dataset_name rita analyze dataset_name
Phase 2: Detailed threat hunting
rita show-beacons --score-threshold 0.7 dataset_name rita show-dns --query-length-threshold 40 dataset_name
Phase 3: Correlation and investigation
Correlate findings with external threat intelligence
Investigate high-confidence indicators
```_
Operationelle Sicherheit
```bash
Secure RITA deployment
1. Restrict database access
sudo ufw allow from 127.0.0.1 to any port 27017
2. Encrypt sensitive data
Use MongoDB encryption at rest
3. Secure log storage
sudo chmod 750 /var/lib/rita sudo chown rita:rita /var/lib/rita
4. Regular updates
sudo apt update && sudo apt upgrade rita ```_
Ressourcen
- [RITA GitHub Repository](_LINK_5___ -%20RITA%20Dokumentation
- Aktive Gegenmaßnahmen Blog
- [Zeek Network Security Monitor](LINK_5 -%20MongoDB%20Dokumentation
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von RITA. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Berechtigung haben, bevor Sie die Netzwerk-Verkehrsanalyse und -überwachung durchführen. *